
Migration doesn't mail-enable target user. Administrative Group not found

Guys, have an error when migrating a user; this is a pilot migration for an existing environment that has been sat idle for a long while. Service accounts appear to have all the rights necessary; however, the AD account is migrated to target but is not mail-enabled. The below error exists in the dsa.log.

 

Error 0xea00009c. Administrative group not found, directory server: "domaincontroller.com", Exchange server: "CN=DB4,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=DomainGroup,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DC,DC=Domain,DC=com" LDAP error 0x20. No Such Object (0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Domain Group,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=Domain,DC=com' ).

 

A single KB points to rights to the Exchange container, which the service account does have rights to...

Any ideas?

Thanks in advance

 

  • Good Day,
    This one may be too tricky to get to root cause on the forum, but here are my thoughts.

    Perhaps that particular administrative group no longer exists in the environment? You could find it by looking in ADSIEdit, at the configuration of the organization. Also, ensure your service account isn't part of any protected groups, i.e. Domain Admins, Enterprise Admins, Schema Admins and the like.

    Most of the time, these errors are exactly that, permissions.
    support.quest.com/.../granular-account-permissions

    You may want to look at your directory synchronization configuration > Specify Exchange options > Source or target Database that it's pointing to for creation of the mail-enabled objects, and perhaps try another. WARNING - Changing this setting will cause a Resynchronization.

    Otherwise, if none of this helps, please create a "Service Request" with support, and we will assist.
    Luke
  • Thanks Luke, as you suggest... a fresh pair of eyes on the ADSI permissions has sorted this. Seems someone had added the target service account correctly; but misconfigured the Sync Pair with the wrong target Domain account...

    Many thanks for a quick response.

    Gavin